diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 000000000..d45fe97da
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,29 @@
+name: Run Trivy vulnerability scanner
+
+on: [ push ]
+
+jobs:
+ main:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ image: ['wis2box-management', 'wis2box-mqtt-metrics-collector', 'wis2box-broker']
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Build docker image ${{ matrix.image }}
+ run: |
+ docker build -t ${{ matrix.image }}:test ${{ matrix.image }}
+ - name: Run Trivy vulnerability scanner on ${{ matrix.image }}
+ if: always()
+ uses: aquasecurity/trivy-action@0.20.0
+ env:
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+ TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+ with:
+ image-ref: ${{ matrix.image }}:test
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
diff --git a/wis2box-broker/Dockerfile b/wis2box-broker/Dockerfile
index a613d7b22..5357feb3e 100644
--- a/wis2box-broker/Dockerfile
+++ b/wis2box-broker/Dockerfile
@@ -19,7 +19,7 @@
 #
 ###############################################################################
-FROM eclipse-mosquitto:2.0.15
+FROM eclipse-mosquitto:2.0.20
 RUN mkdir -p /data/wis2box/mosquitto
 RUN ln -s /mosquitto /data/wis2box/mosquitto
diff --git a/wis2box-broker/entrypoint.sh b/wis2box-broker/entrypoint.sh
index 9a71986a9..f3e0f6193 100644
--- a/wis2box-broker/entrypoint.sh
+++ b/wis2box-broker/entrypoint.sh
@@ -35,4 +35,10 @@ for i in `env | grep -Ee "\> /mosquitto/config/acl.conf
 done
+# set ownership of mosquitto files
+chown -R mosquitto:mosquitto /mosquitto
+
+# set permission of acl.conf to 0700
+chmod 0700 /mosquitto/config/acl.conf
+
 /usr/sbin/mosquitto -c /mosquitto/config/mosquitto.conf
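Review bot: The new workflow declares no `permissions:` block and pins both actions by mutable ref (`actions/checkout@v2`, `aquasecurity/trivy-action@0.20.0`), so the job runs with the default GITHUB_TOKEN scope and the action code it executes can change underneath the tag; add `permissions:` / `  contents: read` directly under `on:` and pin each `uses:` to a full commit SHA with the version kept in a trailing comment. `actions/checkout@v2` is also an outdated major version with newer releases available. With `on: [ push ]` alone, pull requests (including those from forks) are presumably not scanned before merge, so adding `pull_request` to the trigger list would close that gap. The `if: always()` on the scan step means a failed `docker build` is followed by a Trivy run against an image tag that does not exist, which will surface as a confusing scanner error rather than a clean build failure; dropping the condition (the default `success()`) looks like the intended behaviour.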
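Review bot: `chmod 0700 /mosquitto/config/acl.conf` grants an execute bit that a configuration file never needs; `0600` is the least-privilege mode for a file mosquitto only reads, so change the line to `chmod 0600 /mosquitto/config/acl.conf` and the comment above it to `# restrict acl.conf to its owner; mosquitto 2.x warns on world-readable ACL files`. The mosquitto 2.x world-readable warning is presumably what motivates this change, so recording it in the comment keeps the mode from being loosened later. `chown -R mosquitto:mosquitto /mosquitto` walks the whole tree on every container start, including any persistence data under it, which can be slow on large volumes; if only the generated config needs fixing, narrowing it to `/mosquitto/config` would be cheaper. The `for` loop whose `done` opens this hunk starts outside it.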